Case Study: California's CCPA/CPRA: The American Experiment
"California has become the de facto privacy regulator for the United States. That was never the plan — but in the absence of federal action, someone had to act." — Alastair Mactaggart, chairman, Californians for Consumer Privacy
Overview
In the absence of a comprehensive federal data protection law, California took matters into its own hands. The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, was the first state law in the United States to grant consumers GDPR-like rights over their personal information. Its successor amendment, the California Privacy Rights Act (CPRA), passed as a ballot initiative in November 2020 and took full effect in 2023, strengthening protections and creating a dedicated enforcement agency.
Together, the CCPA and CPRA represent the most significant experiment in American data protection — a state-level effort to fill a gap that Congress has failed to address. This case study examines the origins of the California model, its mechanisms, its impact on businesses and consumers, and its role as a catalyst for the broader state privacy law movement.
Skills Applied:
- Analyzing the political dynamics that produce data protection legislation
- Comparing a state-level regulatory approach to both federal sectoral law and the GDPR model
- Evaluating the effectiveness of consumer rights provisions in practice
- Assessing the implications of state-level fragmentation for national data governance
The Origins: Alastair Mactaggart and the Ballot Initiative
An Unlikely Privacy Champion
The CCPA did not originate in a legislative committee or an advocacy organization. It began with a conversation at a cocktail party.
In 2017, Alastair Mactaggart, a San Francisco real estate developer, asked a Google engineer at a social gathering what kind of data Google collected about its users. The engineer's response — described by Mactaggart as candid and alarming — convinced him that consumers had no meaningful control over their personal information and that companies had no incentive to change.
Mactaggart, who had no background in technology law or privacy policy, decided to act. He assembled a team of privacy attorneys and began drafting a ballot initiative — a mechanism unique to California politics that allows citizens to place proposed laws directly before voters, bypassing the legislature entirely.
The Legislative Bargain
Mactaggart's ballot initiative, formally titled the "California Consumer Privacy Act of 2018," qualified for the November 2018 ballot. The technology industry was alarmed. Ballot initiatives, once passed, are extremely difficult to amend — the legislature can modify them only with a supermajority vote, and only if the modification is "consistent with" the initiative's intent.
Facing a ballot initiative they could not control, industry lobbyists and sympathetic legislators offered Mactaggart a deal: if he withdrew the ballot initiative, the legislature would pass a negotiated version as a statute (which would be easier to amend later). Mactaggart agreed — but only after extracting commitments on core provisions.
The result was Assembly Bill 375, the California Consumer Privacy Act, signed by Governor Jerry Brown on June 28, 2018. It was one of the fastest-moving pieces of significant legislation in California history — passed in seven days from introduction to signature. The speed showed: the final text contained ambiguities, drafting errors, and gaps that would require subsequent amendment.
The CCPA Framework
Key Rights
The CCPA, effective January 1, 2020, granted California consumers four fundamental rights:
- Right to Know: Consumers could request that businesses disclose what personal information they had collected, the sources of that information, the purposes for collection, and the third parties with whom it was shared.
- Right to Delete: Consumers could request the deletion of their personal information, subject to specified exceptions (legal obligations, fraud detection, certain internal uses).
- Right to Opt-Out of Sale: Consumers could direct businesses not to "sell" their personal information. The definition of "sale" was broad — it included not just monetary transactions but any exchange of personal information for "valuable consideration."
- Right to Non-Discrimination: Businesses could not deny goods or services, charge different prices, or provide a different quality of service to consumers who exercised their CCPA rights.
Scope and Thresholds
Unlike the GDPR, which applies to virtually all data processing, the CCPA applied only to for-profit businesses meeting at least one of three thresholds:
- Annual gross revenue exceeding $25 million
- Annually buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices
- Deriving 50% or more of annual revenue from selling consumers' personal information
These thresholds meant that small businesses were largely exempt — a deliberate choice to reduce compliance burden, but one that left consumers unprotected when dealing with smaller data-intensive companies.
Enforcement
The CCPA was enforced by the California Attorney General's office, which had authority to seek civil penalties of up to $2,500 per violation (or $7,500 per intentional violation). The law also included a limited private right of action — consumers could sue directly, but only in cases involving data breaches resulting from a business's failure to implement reasonable security measures, with statutory damages of $100-$750 per consumer per incident.
The CPRA: Strengthening the Framework
From Amendment to Ballot Initiative
Despite the legislative bargain, Mactaggart concluded by 2019 that the CCPA needed strengthening. Industry lobbying had weakened several provisions during the amendment process, and enforcement by the Attorney General's office — which had many other responsibilities — was limited.
Mactaggart returned to the ballot initiative process. Proposition 24, the California Privacy Rights Act, appeared on the November 2020 ballot and passed with 56% of the vote. The CPRA took effect on January 1, 2023 (with a lookback period to January 1, 2022).
Key Enhancements
The CPRA made several significant additions to California's privacy framework:
New rights:
- Right to Correct: Consumers could request the correction of inaccurate personal information — a right the CCPA had lacked.
- Right to Limit Use of Sensitive Personal Information: A new category of "sensitive personal information" (including precise geolocation, racial or ethnic origin, health data, financial account information, and biometric data) was created, and consumers could limit its use to purposes necessary for providing the requested service.
New enforcement:
- California Privacy Protection Agency (CPPA): The CPRA created a dedicated enforcement agency — the first state-level data protection authority in the United States. The CPPA was given investigative and enforcement powers, a dedicated budget, and a board appointed through a process designed to ensure independence.
Strengthened provisions:
- The definition of "sharing" was expanded to cover cross-context behavioral advertising, closing a loophole that had allowed data exchanges to escape the "sale" opt-out.
- Purpose limitation and data minimization principles were added, requiring businesses to collect only personal information that was "reasonably necessary and proportionate" to the disclosed purposes.
- Automated decision-making provisions were introduced, giving consumers the right to opt out of profiling and to access information about the logic involved.
Impact and Assessment
Impact on Business Practices
The CCPA/CPRA's impact on business practices has been significant, though uneven:
Compliance investment. Large companies invested heavily in compliance. The International Association of Privacy Professionals (IAPP) estimated that CCPA compliance cost large enterprises $1-3 million in initial implementation, with ongoing annual costs of $200,000-500,000. For many companies, these investments created privacy infrastructure that was then extended nationally — a California-specific version of the Brussels Effect.
"Do Not Sell" links. The CCPA's opt-out requirement produced a visible change on consumer-facing websites: the "Do Not Sell My Personal Information" link that appeared on thousands of homepages. The CPRA updated this to "Do Not Sell or Share My Personal Information." However, consumer engagement with these links remained low — studies estimated that fewer than 5% of eligible consumers exercised the opt-out.
Data mapping. Perhaps the CCPA/CPRA's most significant practical impact was forcing companies to understand their own data practices. The requirement to respond to "Right to Know" requests meant that businesses had to map what data they collected, from whom, and where it went — an exercise that many organizations had never performed.
The Enforcement Record
Enforcement under the CCPA/CPRA has been deliberate but limited:
- The Attorney General's office focused initially on sending "cure notices" — letters informing companies of alleged violations and giving them 30 days to comply. This approach produced compliance improvements but few public penalties.
- The first significant enforcement action under the CCPA was against Sephora in 2022, resulting in a $1.2 million settlement for failing to disclose the sale of consumer data and failing to process opt-out requests via the Global Privacy Control browser signal.
- The CPPA, operational from 2023, has been building its enforcement capacity but had, by 2025, issued relatively few public enforcement actions, drawing criticism from privacy advocates who had hoped for more aggressive action.
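The Sephora action turned on a concrete engineering requirement: a site that sells or shares personal information must treat the Global Privacy Control signal (sent by GPC-enabled browsers as the request header `Sec-GPC: 1`) as a valid opt-out. The following is an added example, not code from the case study or from any company it names, of how a web backend can resolve that signal against a user's stored preference and publish the `/.well-known/gpc.json` resource the GPC specification defines; the `storedPreference` shape and field names are assumptions made for the example.

```javascript
// Added example: honoring the Global Privacy Control (GPC) signal server-side.
// A GPC-enabled browser sends "Sec-GPC: 1" on every request. Under the CPRA
// regulations that header is an opt-out of sale/sharing, so it must gate
// anything that counts as a sale or cross-context behavioral advertising share.
const GPC_HEADER = 'sec-gpc';

// Decide whether this request may be used for sale/sharing (for example,
// before loading a third-party advertising tag). Precedence:
//   1. an opt-out already recorded for the user always applies;
//   2. "Sec-GPC: 1" is treated as an opt-out request for this user;
//   3. otherwise the CCPA/CPRA default applies: permitted until opted out.
// The storedPreference object and its field names are constructed for this example.
function resolveOptOut(headers, storedPreference) {
  // Header names are case-insensitive; normalise before lookup.
  const h = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  if (storedPreference && storedPreference.optedOutOfSaleOrSharing) {
    return { optedOut: true, source: 'stored-preference' };
  }
  if (h[GPC_HEADER] === '1') {
    return { optedOut: true, source: 'gpc-signal' };
  }
  return { optedOut: false, source: 'default' };
}

// Persist a GPC-derived opt-out so it keeps applying even when a later
// request (another browser, a native app) does not carry the signal.
function applyGpc(headers, storedPreference) {
  const decision = resolveOptOut(headers, storedPreference);
  const next = { ...(storedPreference || {}) };
  if (decision.source === 'gpc-signal') {
    next.optedOutOfSaleOrSharing = true;
    next.optOutSource = 'gpc';
  }
  return { decision, storedPreference: next };
}

// Body served at /.well-known/gpc.json so browsers and auditors can confirm
// the site claims to honor the signal. lastUpdate is an ISO date (YYYY-MM-DD).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Demo on a constructed request carrying the signal.
console.log(resolveOptOut({ 'Sec-GPC': '1', 'User-Agent': 'constructed-ua' }, null));
```

The same decision must be enforced wherever data leaves the site, not only on the page that renders the "Do Not Sell or Share" link; the Sephora settlement concerned the failure to process the signal at all.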
The Domino Effect: State Privacy Laws Proliferate
The CCPA/CPRA's most significant impact may be the legislative movement it catalyzed. By 2025, twenty states had enacted comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and others. While these laws differ in important details — scope thresholds, consumer rights, enforcement mechanisms, private right of action — they share a common DNA traceable to the CCPA/CPRA and, through it, to the GDPR.
This proliferation created its own challenges. Companies operating nationally faced a patchwork of state laws with different requirements, different definitions, and different enforcement mechanisms — precisely the kind of regulatory fragmentation that a federal law would resolve.
Comparison to the GDPR
The CCPA/CPRA and the GDPR share core concepts — transparency, individual rights, purpose limitation — but differ in fundamental respects:
| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Legal basis | Requires an affirmative legal basis for all processing (consent, contract, legitimate interest, etc.) | Does not require a legal basis for collection; instead gives consumers rights to know, delete, and opt out |
| Default | Processing is prohibited unless justified | Processing is permitted unless consumers opt out |
| Scope | All organizations processing personal data (with limited exceptions) | For-profit businesses meeting revenue/data volume thresholds |
| Enforcement | Dedicated DPAs with investigative and corrective powers | Attorney General + CPPA (dedicated agency created in 2023) |
| Private right of action | Generally through DPA complaint, though some member states allow direct action | Limited to data breach cases |
| Fines | Up to 4% of global annual turnover or €20 million | Up to $2,500/violation or $7,500/intentional violation |
The most fundamental difference is philosophical. The GDPR operates on an opt-in model: processing requires justification. The CCPA/CPRA operates on an opt-out model: processing is permitted unless the consumer takes affirmative steps to restrict it. This difference reflects the underlying regulatory philosophies described in Section 20.1 — the EU's rights-based approach versus the American tradition of default market freedom with targeted consumer protections.
Discussion Questions
- Mactaggart used the ballot initiative process to bypass legislative gridlock. What are the democratic advantages and disadvantages of using direct democracy (ballot initiatives) to create complex regulatory frameworks? Is data protection law well-suited to this process?
- The CCPA's opt-out model places the burden on consumers to act. The GDPR's consent model places the burden on companies to justify processing. Which approach better protects consumer interests? Which is more practical? Can you design a hybrid that combines the strengths of both?
- Twenty states have now enacted comprehensive privacy laws. Is this state-level experimentation beneficial (producing diverse approaches from which a federal standard can eventually draw) or harmful (creating a patchwork that burdens businesses and confuses consumers)?
- The CPRA's creation of the California Privacy Protection Agency represents a new model for US enforcement: a state-level data protection authority. If other states created similar agencies, what would the implications be for national data governance?
Your Turn: Mini-Project
Option A: Research the Global Privacy Control (GPC) browser signal, which the CCPA/CPRA requires businesses to honor as a valid opt-out request. Test whether five major websites honor the GPC signal. Document your findings and assess whether automated opt-out mechanisms are more effective than manual "Do Not Sell" links.
Option B: Compare the California CPRA to the privacy law of one other US state. Create a detailed side-by-side comparison on at least six dimensions. Write a one-page analysis of which law provides stronger consumer protection and why.
Option C: Read the CPPA's published enforcement actions and regulatory proceedings. Write a two-page assessment of the agency's enforcement strategy: Is it prioritizing large companies or small? Systemic practices or individual violations? Consumer-facing transparency or behind-the-scenes data processing? What does the pattern suggest about the agency's institutional priorities?
References
- California Legislative Information. "AB 375: California Consumer Privacy Act of 2018." Sacramento, 2018.
- California Privacy Protection Agency. CPRA Regulations — Final Text. Sacramento, 2022.
- Mactaggart, Alastair. "Why I Spent $6 Million to Protect Privacy." The New York Times, November 4, 2019.
- International Association of Privacy Professionals (IAPP). "US State Privacy Legislation Tracker." Updated regularly at https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.
- Office of the California Attorney General. "Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of the California Consumer Privacy Act." Press release, August 24, 2022.
- Schwartz, Paul M. "The Data Privacy Law of Brexit and CCPA." UCLA Law Review 68, no. 1 (2021).
- Solove, Daniel J., and Paul M. Schwartz. "ALI Restatement of the Law, Consumer Data Privacy." American Law Institute, ongoing.